Amazon SCS-C02 Exam Practice Test Instant Access

Question 1

A medical company recently completed an acquisition and inherited an existing AWS environment. The company has an upcoming audit and is concerned about the compliance posture of its acquisition.

The company must identify personal health information inside Amazon S3 buckets and must identify S3 buckets that are publicly accessible. The company needs to prepare for the audit by collecting evidence in the environment.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

AEnable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONALJNFORMATION managed data identifier.

BUse AWS Glue with the Detect Pll transform to identify sensitive data and to mask the sensitive data.

CEnable AWS Audit Manager. Create an assessment by using a supported framework.

DEnable Amazon GuardDuty S3 Protection Document any findings that are related to suspicious access of S3 buckets.

EEnable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

FEnable AWS Config Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

Answer : A, E, F

Question 2

A company is running its application on AWS Malicious users exploited a recent promotion event and created many fake accounts

The application currently uses Amazon CloudFront in front of an Amazon API Gateway API. AWS Lambda functions serve the different API endpoints. The GET registration endpoint is behind the path of /store/registration. The URI for submission of the new account details is at /store/newaccount.

A security engineer needs to design a solution that prevents similar exploitations for future promotion events.

Which combination of steps will meet these requirements? {Select TWO.)

ACreate an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.

BCreate an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration

CSpecify /store/registration as the registration page path Specify /store/newaccount as the account creation path

DEnable AWS Shield Advanced for the account that hosts the CloudFront distribution Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.

EEnable Amazon GuardOuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.

Answer : A

Question 3

A company hired an external consultant who needs to use a laptop to access the company's VPCs Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources.

Which solution will meet these requirements?

Create an AWS Site-to-Site VPN endpoinl in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule. Create an AWS account Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.

ACreate an AWS Client VPN endpoint in the same Region as the B. VPCs. Configure access through an appropriate subnet and authorization rule.

CCreate a gateway VPC endpoint in the same Region as the VPCs. D. Configure access through an appropriate subnet and authorization rule.

Answer : C

Question 4

A company needs to delect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration ot the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

AInstall an Amazon EKS add-on from a security vendor.

BEnable AWS Security Hub Monitor the Kubernetes findings

CMonitor Amazon CloudWatch Container Insights metrics for Amazon EKS.

DEnable Amazon GuardDuty Use EKS Audit Log Monitoring.

Answer : D

Question 5

A security engineer needs to implement a solution to identify any sensitive data that s stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (Amazon SNS) topic.

Which solution will meet these requirements with the LEAST implementation effort?

AEnable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.

BCreate an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.

CConfigure Amazon Made to use managed data identifiers to identify and categorize sensitive data. Create an Amazon EventBndge rule to send notifications to the SNS topic.

DEnable Amazon GuardDuty Configure AWS CloudTrail S3 data events Create an Amazon CloudWatch alarm that reacts to GuardDuty findings and sends notifications to the SNS topic.

Answer : B

Question 6

A company runs a cuslom online gaming application. The company uses Amazon Cognito for user authentication and authorization.

A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito.

Which solution will meet these requirements?

ACreate a set of 1AM roles and 1AM policies Configure the Cognito identity pool to assign users to the 1AM roles.

BCreate a policy store in Amazon Verified Permissions. Configure Cognito as the identity source Map Cognito access tokens to the Verified Permissions schema.

CCreate customer managed permissions by using AWS Resource Access Manager (AWS RAM) Configure the Cognito identity pool to assign users to the customer managed permissions

DCreate a set of 1AM users and 1AM policies. Configure the Cognito user pool to assign users to the 1AM users.

Answer : B

Question 7

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.

What is the MOST scalable solution that meets these requirements?

APermissions boundaries in AWS Identity and Access Management (1AM)

BS3 bucket policies

CTag policies

DSCPs

Answer : D

Amazon SCS-C02 AWS Certified Security - Specialty Exam Practice Test